Pipelines administrator console

The Pipelines administrator console allows on premises administrators (SuperUsers) to administer the Pipelines on premises installation.

Activities that can be accomplished from the console include:

  • User account management
    • Change a user's password
    • Change a user's email
    • Manage which users are Super Users
    • See a user's account details
  • View the Task Queue (Builds)
  • View the DM Queue (Deploys)
  • View Pipelines Services and Status
  • Access the on-premises Enterprise Options
    • Enterprise integrations configuration
    • Agent information
    • DynamoDB table information
    • Docker image configuration
    • Switching between Pipelines for Applications and Pipelines for Containers

To navigate to the console of a Pipelines on premises install, you must first ensure you are logged in as a Pipelines Super User.

Then replace the path, query string, and any parameters of the URL with console. Here is an example:

http://www.distelli.example.com/console

Enable switching between Pipelines for Applications and Pipelines for Containers

If your organization uses both Pipelines for Applications and Pipelines for Containers, you can enable easy switching between your instances of the two products.

  1. In the Pipelines console, click Settings, then click PFA/PFC.
  2. Set the toggle to Enable Pipelines for Containers.
  3. Enter the URL for your Pipelines for Containers instance.
  4. Click Confirm URL.

Users of your Pipelines for Applications instance will now be able to switch between the two products by using the product switching feature in the main navigation bar of the Pipelines for Applications web UI.

Set up SAML

Pipelines on-premise enterprise installations can support SAML (Security Assertion Markup Language) authentication from a SAML IDP (IDentity Provider).

This document describes the configuration of Pipelines’ SAML feature to integrate with a SAML IDP.

In the console, navigate to the Enterprise tab.

In the Console / Enterprise Settings click the SAML tab.

The fields are as follows:

Enable SAML Authentication

This checkbox toggles SAML authentication on and off.

Note: If you save a misconfigured SAML configuration or your SAML IDP is not properly configured, you may be locked out of Pipelines. This scenario would require someone to disable SAML from the database.

Public Signing Certificate

The SAML IDP public signing certificate is used to verify SAML assertions from the IDP. This will need to be provided by your enterprise SAML team.

Attribute Mapping

Certain attributes need to be sent to Pipelines in the SAML assertion. Pipelines needs to know which field names in your SAML IDP assertion correspond to the attributes it requires. These are as follows:

  • First name - The user's first name.
  • Last name - The user's last name.
  • Email address - The user's email address. This field must be unique across all users as this is the unique identifier of a user.
  • Username - The user's Pipelines username.

Run Test

The Run Test button will execute a simple authentication query to your SAML IDP and expect a working response.

Save

Remember that after you save, if things are not configured correctly on Pipelines or the SAML IDP, users may be locked out. It would be best if you test this from a separate browser window.

SAML IDP

Your enterprise SAML team will have to configure their IDP to communicate with Pipelines. They will need the following information:

  • They will have to provide the IDP public signing certificate to enter in Pipelines.
  • They will have to register Pipelines as an application with permissions to interact with the IDP.
  • They will need to know the Pipelines SAML redirect url of <your-distelli-www-url.domain>/saml.
  • They will have to provide the IDP initiated SSO URL that Pipelines will use to direct user auth requests.
  • They will need to provide the SAML attribute names that come back in the SAML assertion for the following fields.
    • First name - The user’s first name.
    • Last name - The user’s last name.
    • Email address - The user’s email address. This field must be unique across all users as this is the unique identifier of a user.
    • Username - The user’s Pipelines username. This field must be globally unique across all users.
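
A misnamed attribute in the mapping is one way to end up with the lockout described above. The following added example (not part of the Pipelines product or its documentation) checks a decoded assertion from your IDP against the names you plan to enter under Attribute Mapping. The attribute names, the sample assertion and the one-value-per-field rule are assumptions of the example, and signature verification against the Public Signing Certificate is not shown.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Pipelines field -> attribute name entered under Attribute Mapping.
# The IdP attribute names are hypothetical; use the ones your SAML team gives you.
MAPPING = {"first_name": "givenName", "last_name": "sn",
           "email": "mail", "username": "uid"}

# Constructed assertion fragment: this IdP sends the username as "sAMAccountName".
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(xml_text):
    """Return {attribute name: [non-empty values]} from a decoded assertion."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found

def check_mapping(xml_text, mapping):
    """Return {Pipelines field: problem} for each mapped field the assertion cannot fill."""
    found = assertion_attributes(xml_text)
    problems = {}
    for pipelines_field, name in mapping.items():
        values = found.get(name)
        if values is None:
            problems[pipelines_field] = f"attribute '{name}' is not in the assertion"
        elif len(values) != 1:  # this example's policy: exactly one value per field
            problems[pipelines_field] = f"attribute '{name}' has {len(values)} values"
    return problems

if __name__ == "__main__":
    print(check_mapping(SAMPLE_ASSERTION, MAPPING))
```

An empty result means every mapped field can be filled from the assertion; anything else should be resolved with the SAML team before you click Save.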

Set up LDAP

Pipelines on-premise enterprise installations can support LDAP (Lightweight Directory Access Protocol) authentication. When enabling LDAP on Pipelines, all users are managed through LDAP. This includes group (team) memberships. Users can no longer sign in to Pipelines without an LDAP login.

Pipelines uses samAccountName as the Pipelines username and the mail field as the Pipelines email. These must be unique across all users and must remain consistent. A Pipelines super user can change a user's email. Pipelines usernames cannot be changed.

When logging in to Pipelines with LDAP, the following rules apply.

  1. The username must exist in LDAP.
  2. The user must not have "User must change password at next log on" enabled. Pipelines will appropriately message in this case.
  3. The user must belong to an LDAP security group that is mapped to a Pipelines group. If not, the user will be denied entry.

The first time a user logs in to Pipelines with their LDAP username, an account will be created for them.

When a user logs in to Pipelines with their LDAP username, each LDAP group they belong to that is mapped to a Pipelines group causes the user to be added to the account that the Pipelines group exists in, and to that account's Pipelines group for RBAC permissions.

After LDAP is enabled, you can no longer manage account users and group memberships in Pipelines. These are solely managed by LDAP now.

Setup LDAP

You can access the LDAP setup screen from the Pipelines administrator console. This requires logging into Pipelines with a super user or the d1 root account.

On the console, click the Enterprise tab.

Finally click the LDAP tab.

Note: Your first time visiting this page may throw an error regarding “cannot retrieve LDAP groups”. It is safe to ignore this.

Enter the appropriate values for your LDAP configuration. The fields are as follows:

  • LDAP Username - The LDAP userPrincipalName (UPN) that will be used to search LDAP groups for creating LDAP group to Pipelines group mappings.
  • LDAP Password - The password associated with the previous UPN.
  • Host Endpoint - The LDAP connection string for the top of the tree you wish Pipelines to search through recursively.
  • Username Prefix - The LDAP domain that users exist in. When logging in, this string will be prepended to the samAccountName as domain/samAccountName.
  • CA Certificate - The domain root certificate. Pipelines only uses LDAPS to communicate.

After entering the values, click the Run Test button to ensure they are working as expected.

Warning: Do NOT Enable LDAP Configuration until you have read the balance of this document.

Click the Save button to save the settings.

Before Enabling LDAP

Pipelines Groups

You must first ensure you have at least one Pipelines group that is mapped to one or more LDAP groups. These are typically created in a shared team account. You can create a shared team account from the Pipelines console.

Create a shared team account:

  1. While in the Pipelines console, click Accounts from the top.
  2. On the top right, click Create Account.
  3. Click Create.

Navigate to the shared team account:

  1. Change the URL to the username of the account just created.

Create a Group:

  1. Click the gear icon on the top right.
  2. Click the Groups link on the left menu.
  3. Click the + Create New Group link.
  4. Give the group a Group Name and an optional Group Description.
  5. Click the Create button.
  6. Go through and set the permissions as appropriate for this group. You will typically want a full access group for each team account to ensure you can delegate administration of the team account.
  7. Save the group when you are finished.

Create an LDAP Group Mapping

The next steps will be done back in the LDAP Enterprise console page.

  1. On the LDAP Enterprise console page, at the bottom, under LDAP Group, click Select Group.
  2. Select the LDAP Group you wish to map to a Pipelines group.
  3. Now select the Pipelines Account that the Pipelines group is in.
  4. Select the Pipelines Group that will be mapped to the LDAP group.
  5. Finally click Add Mapping.

When you enable LDAP and a user who is a member of a mapped LDAP group logs in, that user is given RBAC-based access to the team account that the Pipelines group belongs to, according to the Pipelines group's permissions.

Pipelines will periodically query the mapped LDAP groups for membership and update user membership in the appropriate Pipelines group(s).

An LDAP group can be mapped to multiple Pipelines groups and multiple LDAP groups can be mapped to the same Pipelines group. You must create individual mappings for each.

If you click the View Permissions link on the right, you will be navigated to the Pipelines group to view the permissions.

Create a Super User

You must create a Pipelines super user that has an LDAP login. Remember, for this user to log into Pipelines after LDAP is enabled, the user must be in an LDAP group mapped to a Pipelines group.

  1. Find an LDAP user that will be used to administer Pipelines at a root level, for example, your LDAP login.
    1. Get the user's LDAP samAccountName = Pipelines username.
    2. Get the user's LDAP mail = Pipelines email.

    If this user already exists in Pipelines with these exact same values you will not need to create the user, but will still need to make the user a super user.

    Remember, you can edit a Pipelines user's email from the console. You cannot change a Pipelines username.

  2. Using the Pipelines console Create Account button, create the LDAP user in Pipelines. Make sure you remember this user's Pipelines password. The Pipelines password does not have to be the same as the user's LDAP password.
  3. In the Pipelines console make the user a Super User by clicking the Make Super User link under the User Settings gear icon.

Enable LDAP

Before enabling LDAP, log in to Pipelines with the super user from the previous section, Create a Super User.

Navigate to the Enterprise console LDAP Configuration page.

Check the [x] Enable LDAP Configuration.

Before allowing LDAP to be enabled, Pipelines validates that the super user attempting to enable it can log in to LDAP.

Warning: After successfully activating LDAP, DO NOT leave this page. There are some tests to be done first to ensure things are working and you won’t get locked out.

Open Pipelines in a completely new browser session, not just a new tab. A Chrome incognito window is an easy way to do this. Do not use the browser you currently have open to the LDAP page. You may want to use another computer.

Attempt to log in to Pipelines with your super user LDAP samAccountName and LDAP password.

If this is successful, congratulations. You are ready to have your users login to Pipelines with LDAP. Remember:

  • Users who do not belong to an LDAP group that is mapped to a Pipelines group will be denied access to Pipelines.
  • Users whose LDAP account is in a state of "User must change password at next log on" cannot log in to Pipelines.
  • If an LDAP user attempts to log in and their email already exists for a Pipelines user but the LDAP user's samAccountName doesn't match that Pipelines user's username, the user will be denied access.
  • If an LDAP user's samAccountName already exists as a Pipelines username and the Pipelines email is not the same as the LDAP user's mail, the user will be denied access.
  • LDAP users that are disabled will be denied access to Pipelines.

In all the situations above, the user will be appropriately messaged so action can be taken.

A Pipelines super user can resolve email conflicts.
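
The denial rules listed above can be checked against a directory export before LDAP is enabled, so that the super user and other accounts are not locked out. This is an added example, not Pipelines code: the record layout, the order of the checks and the sample data are constructed, and the disabled and must-change-password tests assume Active Directory's userAccountControl and pwdLastSet attributes.

```python
from dataclasses import dataclass, field

ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl bit: account disabled

@dataclass
class LdapUser:                    # constructed stand-in for a directory entry
    sam: str                       # samAccountName -> Pipelines username
    mail: str                      # mail -> Pipelines email
    uac: int = 0x0200              # userAccountControl (0x0200 = normal account)
    pwd_last_set: int = 1          # AD stores 0 for "must change password at next log on"
    groups: set = field(default_factory=set)

def login_decision(user, mapped_groups, pipelines_users):
    """Return (allowed, reason); pipelines_users maps existing username -> email."""
    if user.uac & ACCOUNTDISABLE:
        return False, "LDAP account is disabled"
    if user.pwd_last_set == 0:
        return False, "must change password at next log on"
    if not user.groups & mapped_groups:
        return False, "not in an LDAP group mapped to a Pipelines group"
    known_mail = pipelines_users.get(user.sam)
    if known_mail is not None and known_mail != user.mail:
        return False, "username exists in Pipelines with a different email"
    if any(m == user.mail and n != user.sam for n, m in pipelines_users.items()):
        return False, "email exists in Pipelines under a different username"
    return True, "ok"

def audit(users, mapped_groups, pipelines_users):
    """Map samAccountName -> denial reason for every user who would be locked out."""
    results = ((u.sam, login_decision(u, mapped_groups, pipelines_users)) for u in users)
    return {sam: reason for sam, (ok, reason) in results if not ok}

# Constructed sample data
MAPPED = {"CN=pipelines-admins,OU=Groups,DC=example,DC=com"}
PIPELINES = {"alice": "alice@example.com", "bob": "bob@old.example.com",
             "carl": "dana@example.com"}
USERS = [
    LdapUser("alice", "alice@example.com", groups=set(MAPPED)),
    LdapUser("bob", "bob@example.com", groups=set(MAPPED)),
    LdapUser("dana", "dana@example.com", groups=set(MAPPED)),
    LdapUser("erin", "erin@example.com", pwd_last_set=0, groups=set(MAPPED)),
    LdapUser("frank", "frank@example.com", uac=0x0202, groups=set(MAPPED)),
    LdapUser("gina", "gina@example.com"),
]

if __name__ == "__main__":
    for sam, reason in audit(USERS, MAPPED, PIPELINES).items():
        print(f"{sam}: {reason}")
```

Run it with the intended super user in the list first: if that account appears in the audit output, fix the group mapping or email conflict before checking Enable LDAP Configuration.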

GCP OAuth

When running Pipelines on premises, certain OAUTH services require an OAUTH application for clients (users) to authenticate against.

To accommodate this, Pipelines asks that you log in to the service and create an OAUTH application for this usage.

Creating a GCP OAUTH Application

  1. Log in to Google Cloud. Use a Google account that will not leave your organization.
  2. Go to the Console, at the top right.
  3. Ensure you are on the Dashboard on the left.
  4. Under the section titled Explore other services, click Enable APIs and get credentials like keys. This should take you to https://console.cloud.google.com/apis/library
  5. Click Compute Engine API.
  6. Click Credentials on the left.
  7. Click Create Credentials.
  8. Click Oauth client ID from the drop down list.
  9. Enter the application details. Notes about the entries:
    • The application type is Web application.
    • The name Pipelines Example can be any name you wish. This will be shown to your users when they OAUTH their GCP account to Pipelines.
    • Finally, you must set the Authorized redirect URIs. This will always be:
      PROTOCOL://URL_TO_DISTELLI_web UI/88751e72/googleOauth
      If you are using HTTP and HTTPS, ensure you include both.
  10. Click Create.
  11. You will be shown your OAUTH Client ID and Client secret. Copy these to enter in the console in Pipelines next.
  12. Log in to your instance of Pipelines as a Super User.
  13. Navigate to the Console.
  14. Click the Enterprise link at the top.
  15. Select the Integrations tab.
  16. Scroll down to Google and enter the Client ID and Client secret.
  17. Click the Save icon on the right to save your settings.

Validate

To validate, connect a Pipelines user to GCP.

  1. Have a user who has a GCP account log in to Pipelines.
  2. Click the Gear at the top right.
  3. Click the Integrations link on the left.
  4. Click the Google Cloud icon.
  5. Click the Connect Google Cloud Platform button.
  6. Click the Allow button.

Your users are successfully connecting their GCP account with your installation of Pipelines on premises.

Note: If you change the GCP application Auth ID/Secret in the console, your users will have to re-auth their GCP accounts.

Slack OAuth

When running Pipelines on premises, certain OAUTH services require an OAUTH application for clients (users) to authenticate against.

To accommodate this, Pipelines asks that you log in to the service and create an OAUTH application for this usage.

Creating a Slack OAUTH Application

  1. Log in to slack.com.
  2. Go to the Team you wish to own the Slack Application.
  3. Click the drop down from the top left of Slack.
  4. Select Apps & integrations from the drop down. This will take you to the Slack App Directory.
  5. Click the Build link at the top right.
  6. Click the Get Started with Slack Apps button.
  7. Click the Your Apps link at the top right.
  8. Click the Create App button.
  9. Set the options as described in the following notes:
    • The App Name will be the name your users see when authorizing the slack OAUTH.
    • The Team is the team you wish to own this application.
    • You can use the Pipelines logo for the Icon.
    • You can find instructions on how to install your Slack app here.
    • Set the Link to support for your Slack app as appropriate for your organization.
    • The Redirect URI(s) are critical.
  10. Click the Create App button. After your app is created you will find yourself at the App page in Slack.
  11. Click the App Credentials link on the left.
  12. You will be shown your OAUTH Client ID and Client secret. Copy these to enter in the console in Pipelines next.

Validate

To validate, connect a Pipelines user to Slack.

  1. Have a user who is a member of a Slack team log in to Pipelines.
  2. Click the Gear at the top right.
  3. Click the Integrations link on the left.
  4. Click the Slack icon.
  5. Click the Add to Slack button.
  6. You may be prompted to choose your team if you are a member of more than one. Choose the one you wish to integrate with Pipelines.
  7. Click the Authorize button to authorize.

Your users are successfully connecting their Slack team with your installation of Pipelines on premises.

Caution: If you change the Slack application Auth ID/Secret in the console, your users will have to re-auth their Slack accounts.